1 Introduction
In engineering design, communication between Remote Terminal Units (RTUs) and PLCs is frequently encountered. Both PLCs and RTUs are suited to harsh industrial environments, in particular the underground substations of coal mines, where remote terminals are typically installed. Sometimes a substation centralized control system has to be integrated into an existing PLC control system. In this case a PLC can serve as the centralized control unit, paired with a touchscreen as the HMI, and centralized control of the underground substation is achieved through communication between the PLC and the RTU. RTUs mainly use two kinds of communication protocol: cyclic data transmission protocols and query-response (polling) protocols. The CDT protocol belongs to the former. This article analyzes how the CDT protocol can be parsed on a Siemens S7-300 PLC using the CP340 communication module.
2 A Brief Introduction to the CDT Specification
The CDT cyclic protocol issued by the former Ministry of Electric Power is an early set of telecontrol protocol standards and one of the protocols most widely used in the power system. It specifies the functions, frame structure, information word structure and transmission rules of the cyclic telecontrol protocol in power grid data acquisition and monitoring systems. It applies to point-to-point telecontrol channels and to telecontrol equipment and systems that transmit in a cyclic, byte-synchronous manner. It is mostly used for communication between RTU equipment and the master station [1].
3 CDT Specification Features
The CDT protocol transmits data cyclically in frame format. Depending on the type and importance of the data to be transmitted, it is divided into: important telemetry (A-frame), minor telemetry (B-frame), general telemetry (C-frame), remote signaling status (D1-frame), power pulse data (D2-frame), and event sequence record (E-frame). The frame structure is shown in Table 1. Each frame begins with a synchronization word and contains a control word; except for a few frames, all should contain an information word. The number of information words is set according to actual needs, and the frame length is variable.
4 Frame Series Transmission Order
The transmission order of frames can be arranged as needed, typically in the following three ways [1]:
(1) Fixed cyclic transmission, used to transmit frames a, b, c, d1, and d2.
(2) Frame insertion transmission, used to transmit e-frames (the length of an e-frame must not exceed that of an a-frame). Because SOE information may be generated continuously, a software pointer limits how much of it goes into the e-frame that is due; the remaining records are sent in the next e-frame.
(3) Immediate insertion of information words. The specific insertion method is as follows: ① As soon as return information for a change-of-state telesignal, a remote control command or a raise/lower (setpoint) command is generated, the corresponding information words are inserted into the current frame. If the current frame is an a, b, c or d frame, original information words are replaced and the inserted information is repeated three times within the current frame (the frame length is unchanged and the insertion must not cross a frame boundary), so that the receiving end can decide on the 2-out-of-3 principle. If the current frame has too little room for three consecutive repetitions, all of them are inserted into the next frame instead. If the current frame is an e-frame, the insertion is made between complete SOE words and the frame length grows accordingly. ② The clock return information of a time-synchronized substation is also inserted immediately, but only once; otherwise the same rules apply.
Figure 1 shows the case in which all frame types are transmitted. When an e-frame has to be sent in frame-insertion mode, it is inserted at the position indicated by the arrow and transmitted three times as required.
Figure 2 is the schematic for the case in which a telesignal change has to be inserted. The insertion is done not frame by frame but word by word: the information is first inserted into the current frame and transmitted three times, replacing three original information words. If the current frame has insufficient room for three transmissions, all of the information words move to the next frame. The clock return information of a time-synchronized substation is transmitted only once. If the frame receiving the insertion is an a, b, c or d frame, its length is unchanged after the original information words are replaced.
Figure 3 shows the case in which remote control return information appears while the frame being transmitted is an e-frame. It must then be inserted between complete records of the event sequence, and the frame length grows accordingly.
Furthermore, upon initial power-up or reset of the substation, the frame series always begins from the first frame, prioritizing the transmission of remote signaling status information to the dispatcher. The downlink channel does not exhibit these issues; commands are sent immediately upon request, and synchronization signals are continuously transmitted when no commands are needed.
5 CP340 Communication Parameter Configuration
The programming software for the Siemens S7-300 PLC is STEP 7: the PLC hardware is configured first, then the program is written. The CP340 communication processor integrates one serial interface for point-to-point communication with a partner. It is available in three interface variants; here the CP340 RS422/485 variant is used. The CP340 connects to the CPU over the backplane bus. To offload the CPU during communication, the CP340 is an intelligent module: its own processor handles serial transmission and reception autonomously on instructions from the CPU. The module contains a receive buffer and a transmit buffer that form the link between the CPU and the CP340. To send, the CPU writes the data into the transmit buffer and the CP340 shifts it out byte by byte; on reception, the CP340 writes incoming bytes into the receive buffer, which the CPU polls and reads whenever it is not empty. Reading and writing these buffers is done through dedicated function blocks: the send block FB3 (P_SEND) and the receive block FB2 (P_RCV). Before the CP340 can be used, the communication protocol and its parameters must be selected and set; this is done in the hardware configuration of STEP 7, so the CP340 is parameterized conveniently from the same tool.
The communication between the RTU and the CP340 is asynchronous serial communication using the CP340's ASCII driver, which transports the bytes without interpreting them [2]. The serial parameters must match the RTU: 4800 bit/s, 8 data bits, 1 stop bit, no parity. Figure 4 shows the CP340 parameter configuration in the STEP 7 hardware configuration.
6 Protocol Parsing Approach
Realization of the telemetry, telesignaling and remote control functions.
Telemetry information is mainly in frames a, b, and c; remote signaling information is in frame d1; power pulse data is in frame d2; and event sequence records are in frame e. The RTU transmits the data to the PLC via a fixed cycle (where SOE uses frame insertion for transmission).
The remote control process requires the PLC to send a downlink remote control selection command to the RTU; the RTU then sends remote control return information to the PLC by information word insertion; after receiving and verifying this information, the PLC sends a remote control execute command or a cancellation command to the RTU; finally, the RTU executes the remote control command and sends the resulting change-of-state telesignal back to the PLC, again by information word insertion. The entire remote control process is shown in Figure 5.
7 PLC Programming
7.1 Main Program
The main program is housed in a function (FC) that is called from the main program block (OB1). The communication program first receives CDT data by calling the receive function block (FB2) and stores it in the data receiving area (DB20). It then calls the data processing block to retrieve one word (6 bytes) from DB20 and search for the synchronization word (EB90H repeated three times). After the synchronization word is found, the next 6 bytes (the control word) are taken and processed. Then, according to the number of information words given in the control word, the information words of the frame are processed one by one. When processing the control word and the information words, the CRC is checked first; on a CRC error the frame is discarded and the search for the synchronization word of the next frame begins [3]. The main parts of the program are as follows:
      CALL "rcv_data"        // Receive data from CP340 and store it in DB20
      CALL "check_6byte"     // Check whether at least 6 bytes are available
      A    "istransneed"     // Data needs to be processed
      JC   _001
      JU   com
_001: CALL "check_eb90"      // Search for the synchronization word
      A    "isframetrans"    // Frame processing is required
      JC   _002
      JU   com
_002: CALL "contrw_trans"    // Control word processing
      A    "isinfotrans"     // Information word processing is required
      JC   _003
      JU   com
_003: CALL "infow_trans"     // Information word parsing
com:  NOP  0
7.2 Data Reception and Processing
Because the S7-300 PLC processes data much faster than the RTU transmits it, there is no risk of received data being overwritten while the RTU is transmitting. A 120-byte buffer is created in DB20 for the CPU to receive RTU data. Because the CDT protocol specifies that synchronization words, control words and information words are all 6 bytes long, the buffer holds 20 words. The data receiving block (rcv_data) receives data from the RTU and copies it into the data buffer DB20. The data processing block (check_6byte) checks whether at least six bytes are present in DB20. If so, the "istransneed" bit is set, opening the path to the subsequent synchronization word search; if not, the block ends and waits for the PLC to receive more data in the next scan cycle.
7.3 Synchronization Word Search
When the procedure above determines that at least 6 bytes are present in the data buffer, it calls the synchronization word search block (check_eb90). The first task in processing the received data is to locate the synchronization word. Six bytes are taken and compared with the synchronization word (three consecutive EB90H pairs). If they do not match, the first byte is discarded, the window slides one byte and the check is repeated. This continues in each PLC scan cycle until a synchronization word is found. When two synchronization words have been found, the data between them is transferred to the control/information word DB area and the "frame processing required" flag (isframetrans) is set.
7.4 Control Word Processing
When `isframetrans` is 1, the program jumps to the control word processing block (`contrw_trans`), which begins control word processing for the data frame. First, six bytes are retrieved and their CRC8 checksum is performed using the CRC checksum block. If the checksum is correct, these six bytes constitute the control word. The number of information words in the data frame is obtained from the third byte of the control word and stored in the variable `info_len`. Different flags are set based on the frame type in the second byte of the control word, allowing the information word processing block to retrieve different telemetry, telesignaling, and remote control return information. Finally, the information word processing flag (`isinfotrans`) is set. If incorrect, the "frame processing required" flag (`isframetrans`) is reset, and the search for the synchronization word restarts.
7.5 Parsing of Information Words
Based on the frame type and the total number of information words (info_len) provided by the control word processing block, parsing of the information words can begin. Each time, six bytes are extracted and the CRC block is called to perform the CRC8 check. If the check fails, the information word is discarded and the next one is extracted. If the check passes, the information word is valid and is processed according to the frame type. The first byte of the information word is the function code, which determines the meaning of the word; this allows the data in the information word to be extracted and stored in a specific DB area of the PLC. Regardless of whether the CRC8 check passes, the number of processed information words is counted. When the count equals the total number of information words (info_len), the data frame has been fully parsed and the information word processing flag (isinfotrans) is reset. The next word should be the synchronization word of the following frame, which is processed according to the steps above.
7.6 Implementation of Remote Control and CRC8 Verification
The remote control function is implemented based on the above information word processing. Statements for detecting remote control commands are set in OB1 and executed once per scan cycle. Once a remote control command from the control center is detected, the remote control selection program is invoked. Based on the remote control switch number and action requirements, a remote control selection frame is generated according to the CDT protocol format and sent out via CP340. Simultaneously, a pulse timer SP is started when the remote control selection command is issued. Within the timer period, the received information words are checked. If a correct remote control return information word is received, the remote control execution program is invoked, a remote control execution frame is generated, and sent out via CP340, completing the remote control operation. If no remote control return information is received within the timer period or the return information word verification is incorrect, the remote control operation fails.
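The select / return / execute sequence described above (and in Figure 5) as a small state machine, written here as an added example; it is not the article's PLC code. Assumptions: return information arrives already decoded as (switch_no, action) pairs from the information-word parser; the pulse timer SP becomes a deadline on an injectable clock; outgoing frames are handed to a hypothetical `send` callback as plain tuples, because the article does not give the downlink frame layout; sending a cancellation on failure is a design choice, the article only says the operation fails.

```python
import time
from enum import Enum


class RcState(Enum):
    IDLE = "idle"
    WAIT_RETURN = "selection sent, waiting for return information"
    EXECUTED = "execute command sent"
    FAILED = "remote control failed"


class RemoteControlSession:
    """Select-before-operate: the execute command is sent only for a return
    word that echoes the selected switch and action inside the timer period."""

    def __init__(self, send, timeout_s=5.0, clock=time.monotonic):
        self.send = send            # hypothetical callback: receives the outgoing frame
        self.timeout_s = timeout_s  # pulse timer period (timer SP in the PLC program)
        self.clock = clock          # injectable so the timeout can be tested
        self.state = RcState.IDLE
        self.pending = None         # (switch_no, action) currently selected
        self.deadline = None

    def select(self, switch_no, action):
        """Send the selection frame and start the timer."""
        if self.state is RcState.WAIT_RETURN:
            raise RuntimeError("a selection is already outstanding")
        self.pending = (switch_no, action)
        self.deadline = self.clock() + self.timeout_s
        self.state = RcState.WAIT_RETURN
        self.send(("SELECT", switch_no, action))
        return self.state

    def on_return(self, switch_no, action):
        """Feed every remote-control return information word here."""
        if self.state is not RcState.WAIT_RETURN:
            return self.state                       # unsolicited or late return: ignore
        if self.clock() > self.deadline:
            return self._fail()                     # timer expired before the return arrived
        if (switch_no, action) != self.pending:
            return self._fail()                     # RTU echoed a different switch or action
        self.send(("EXECUTE", switch_no, action))
        self.state = RcState.EXECUTED
        self.pending = None
        return self.state

    def poll(self):
        """Call once per scan cycle: expires the timer when no return word came."""
        if self.state is RcState.WAIT_RETURN and self.clock() > self.deadline:
            return self._fail()
        return self.state

    def _fail(self):
        switch_no, action = self.pending
        self.send(("CANCEL", switch_no, action))    # design choice: cancel the selection
        self.state = RcState.FAILED
        self.pending = None
        return self.state
```

The check that matters is the comparison against `self.pending`: a return word that verifies its CRC but names a different switch or action must not release the execute command.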
The CDT protocol uses a CRC8 check. Its control words and information words are (n, k) = (48, 40) code groups: 40 information bits followed by 8 check bits, with generator polynomial g(x) = x⁸ + x² + x + 1 and coset (final XOR) FFh, so the transmitted check byte is the one's complement of the CRC register. Because the S7-300 has ample DB memory, the program computes the CRC with a 256-entry lookup table rather than bit by bit. Note that this CRC only detects transmission errors on the channel; it is not an authentication mechanism, and any device able to write to the serial link can produce words with valid check bytes. Table 2 shows the CRC8 procedure for a control word or information word:
(1) XOR 00h with the first byte data0, look up the result in the table, and get temp0;
(2) XOR temp0 and data1, look up the result in a table, and get temp1;
(3) XOR temp1 and data2, look up the result in a table, and get temp2;
(4) XOR temp2 and data3, look up the result in a table, and get temp3;
(5) XOR temp3 and data4, look up the result in a table, and get temp4;
(6) The value of the CRC8 checksum is the one's complement of temp4.
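The parsing steps of sections 7.3 to 7.6 (sliding search for the synchronization word, CRC8 check of the control word, information word count from the control word, per-word CRC8 check with good and bad words both counted) and the 2-out-of-3 decision of section 4, carried through in Python as an added example; this is not the article's PLC code. The CRC8 follows steps (1) to (6) above with a generated lookup table. Byte layouts the article does not spell out (control word identifier 71H, source and destination address bytes, the frame type codes 61H and F4H used in the sample) are assumptions taken from DL 451-91 and marked as such; the sample stream is constructed.

```python
SYNC_WORD = bytes.fromhex("EB90EB90EB90")   # three EB90H pairs, 6 bytes
WORD_LEN = 6                                # sync, control and info words are all 6 bytes
CONTROL_CODE = 0x71                         # assumed: control word identifier byte
CRC_POLY = 0x07                             # x^8 + x^2 + x + 1
CRC_COSET = 0xFF                            # final one's complement


def build_crc8_table(poly=CRC_POLY):
    """256-entry table for the MSB-first CRC8 with the given polynomial."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
        table.append(crc)
    return table


CRC8_TABLE = build_crc8_table()


def cdt_crc8(data):
    """Steps (1)-(6): start at 00h, table lookup per byte, then complement."""
    temp = 0x00
    for b in data:
        temp = CRC8_TABLE[temp ^ b]
    return temp ^ CRC_COSET


def make_word(five_bytes):
    """Append the check byte to 5 payload bytes to form a 6-byte CDT word."""
    assert len(five_bytes) == 5
    return bytes(five_bytes) + bytes([cdt_crc8(five_bytes)])


def word_ok(word):
    """True when the word is 6 bytes long and its check byte verifies."""
    return len(word) == WORD_LEN and cdt_crc8(word[:5]) == word[5]


def vote_2_of_3(w1, w2, w3):
    """Receiver-side 2-out-of-3 decision on a word inserted three times."""
    if w1 == w2 or w1 == w3:
        return w1
    if w2 == w3:
        return w2
    return None


def parse_stream(buf):
    """Parse every complete frame in buf into a list of dicts.

    Bad control word: drop the frame and resume the sync search (7.4).
    Bad information word: discard it but still count it towards info_len (7.5).
    A truncated trailing frame is ignored."""
    frames = []
    pos = 0
    while True:
        pos = buf.find(SYNC_WORD, pos)          # byte-by-byte sync search (7.3)
        if pos < 0:
            return frames
        pos += WORD_LEN
        ctrl = buf[pos:pos + WORD_LEN]
        if len(ctrl) < WORD_LEN:
            return frames
        if ctrl[0] != CONTROL_CODE or not word_ok(ctrl):
            continue                            # discard frame, search for next sync
        info_len = ctrl[2]                      # third byte: number of information words
        frame = {"type": ctrl[1], "src": ctrl[3], "dst": ctrl[4],
                 "info_len": info_len, "words": [], "bad_words": 0}
        pos += WORD_LEN
        for _ in range(info_len):
            word = buf[pos:pos + WORD_LEN]
            if len(word) < WORD_LEN:
                return frames                   # stream ended mid-frame
            pos += WORD_LEN
            if word_ok(word):
                frame["words"].append((word[0], word[1:5]))  # (function code, 4 data bytes)
            else:
                frame["bad_words"] += 1
        frames.append(frame)


def sample_stream():
    """Constructed data: line noise, an A-frame with two information words (the
    second corrupted by one bit), then a D1-frame with one word."""
    noise = bytes.fromhex("00EB90EB12")
    ctrl_a = make_word([CONTROL_CODE, 0x61, 2, 0x01, 0x02])   # 61H assumed for A-frame
    good = make_word([0x00, 0x12, 0x34, 0x56, 0x78])
    bad = bytearray(make_word([0x01, 0x9A, 0xBC, 0xDE, 0xF0]))
    bad[2] ^= 0x40                                            # any single-bit error is caught
    ctrl_d1 = make_word([CONTROL_CODE, 0xF4, 1, 0x01, 0x02])  # F4H assumed for D1-frame
    sig = make_word([0xF0, 0x00, 0x01, 0x00, 0x00])
    return noise + SYNC_WORD + ctrl_a + good + bytes(bad) + SYNC_WORD + ctrl_d1 + sig


if __name__ == "__main__":
    for f in parse_stream(sample_stream()):
        print(f"frame type {f['type']:02X}h: {len(f['words'])} valid, {f['bad_words']} discarded")
```

Counting discarded words towards `info_len` is what keeps the parser aligned on the next synchronization word after a corrupted information word; a corrupted control word, by contrast, loses the whole frame because its word count cannot be trusted.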
8 Conclusion
The Siemens S7-300 PLC with the CP340 serial communication module can parse the CDT protocol effectively, enabling centralized monitoring in special situations such as underground coal mine substations. This method has been applied successfully in the automation upgrade of a substation at a mine of Zaozhuang Quanxing Mining Group, with good results.